* [PATCH V2 0/3] Add ability to set clear text password and fix zap_root_password
@ 2013-12-11  5:56 Qi.Chen
  2013-12-11  5:56 ` [PATCH V2 1/3] shadow-native: allow for setting password in clear text Qi.Chen
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Qi.Chen @ 2013-12-11  5:56 UTC (permalink / raw)
  To: openembedded-core

From: Chen Qi <Qi.Chen@windriver.com>

Changes since V1:
Modify the code of zap_root_password and rename the function to zap_empty_root_password
to better reflect its original intent.


The following changes since commit 853f5db48f4cfcb34345938b583874fe5b6fc678:

  nativesdk.bbclass: support nativesdk to override with the PACKAGES_DYNAMIC statement (2013-12-09 21:36:33 +0000)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib ChenQi/cleartext-password
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=ChenQi/cleartext-password

Chen Qi (3):
  shadow-native: allow for setting password in clear text
  image.bbclass: fix for zap_root_password
  useradd-example: add example for setting clear text password

 .../recipes-skeleton/useradd/useradd-example.bb    |    3 +-
 meta/classes/core-image.bbclass                    |    2 +-
 meta/classes/image.bbclass                         |   14 +-
 .../allow-for-setting-password-in-clear-text.patch |  208 ++++++++++++++++++++
 meta/recipes-extended/shadow/shadow.inc            |    1 +
 5 files changed, 220 insertions(+), 8 deletions(-)
 create mode 100644 meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch

-- 
1.7.9.5




* [PATCH V2 1/3] shadow-native: allow for setting password in clear text
  2013-12-11  5:56 [PATCH V2 0/3] Add ability to set clear text password and fix zap_root_password Qi.Chen
@ 2013-12-11  5:56 ` Qi.Chen
  2013-12-11  5:57 ` [PATCH V2 2/3] image.bbclass: fix for zap_root_password Qi.Chen
  2013-12-11  5:57 ` [PATCH V2 3/3] useradd-example: add example for setting clear text password Qi.Chen
  2 siblings, 0 replies; 4+ messages in thread
From: Qi.Chen @ 2013-12-11  5:56 UTC (permalink / raw)
  To: openembedded-core

From: Chen Qi <qi.chen@windriver.com>

Allow user to set password in clear text. This is convenient when
we're building out an image.

This feature is mainly used by useradd.bbclass and extrausers.bbclass.

This patch adds a new option '-P' to useradd, usermod, groupadd and groupmod
commands provided by shadow-native. The shadow package on target and in SDK
will not be affected.

[YOCTO #5365]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 .../allow-for-setting-password-in-clear-text.patch |  208 ++++++++++++++++++++
 meta/recipes-extended/shadow/shadow.inc            |    1 +
 2 files changed, 209 insertions(+)
 create mode 100644 meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch

diff --git a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
new file mode 100644
index 0000000..eafb935
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
@@ -0,0 +1,208 @@
+Upstream-Status: Inappropriate [OE specific]
+
+Allow for setting password in clear text.
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+
+---
+ src/Makefile.am |    8 ++++----
+ src/groupadd.c  |    8 +++++++-
+ src/groupmod.c  |    9 ++++++++-
+ src/useradd.c   |    9 +++++++--
+ src/usermod.c   |   10 ++++++++--
+ 5 files changed, 34 insertions(+), 10 deletions(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 6a3b4c5..1ffdbc6 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -76,10 +76,10 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
+ chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+ gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+-groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+ groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX)
+-groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ grpck_LDADD    = $(LDADD) $(LIBSELINUX)
+ grpconv_LDADD  = $(LDADD) $(LIBSELINUX)
+ grpunconv_LDADD = $(LDADD) $(LIBSELINUX)
+@@ -99,9 +99,9 @@ su_SOURCES     = \
+ 	suauth.c
+ su_LDADD       = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD)
+ sulogin_LDADD  = $(LDADD) $(LIBCRYPT)
+-useradd_LDADD  = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++useradd_LDADD  = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ userdel_LDADD  = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+-usermod_LDADD  = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
++usermod_LDADD  = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
+ vipw_LDADD     = $(LDADD) $(LIBSELINUX)
+ 
+ install-am: all-am
+diff --git a/src/groupadd.c b/src/groupadd.c
+index 66b38de..3157486 100644
+--- a/src/groupadd.c
++++ b/src/groupadd.c
+@@ -124,6 +124,7 @@ static void usage (void)
+ 	(void) fputs (_("  -o, --non-unique              allow to create groups with duplicate\n"
+ 	                "                                (non-unique) GID\n"), stderr);
+ 	(void) fputs (_("  -p, --password PASSWORD       use this encrypted password for the new group\n"), stderr);
++	(void) fputs (_("  -P, --clear-password PASSWORD use this clear text password for the new group\n"), stderr);
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), stderr);
+ 	(void) fputs (_("  -r, --system                  create a system account\n"), stderr);
+ 	(void) fputs ("\n", stderr);
+@@ -388,13 +389,14 @@ static void process_flags (int argc, char **argv)
+ 		{"key", required_argument, NULL, 'K'},
+ 		{"non-unique", no_argument, NULL, 'o'},
+ 		{"password", required_argument, NULL, 'p'},
++		{"clear-password", required_argument, NULL, 'P'},
+ 		{"root", required_argument, NULL, 'R'},
+ 		{"system", no_argument, NULL, 'r'},
+ 		{NULL, 0, NULL, '\0'}
+ 	};
+ 
+ 	while ((c =
+-		getopt_long (argc, argv, "fg:hK:op:R:r", long_options,
++		getopt_long (argc, argv, "fg:hK:op:P:R:r", long_options,
+ 		             &option_index)) != -1) {
+ 		switch (c) {
+ 		case 'f':
+@@ -446,6 +448,10 @@ static void process_flags (int argc, char **argv)
+ 			pflg = true;
+ 			group_passwd = optarg;
+ 			break;
++		case 'P':
++			pflg = true;
++			group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++			break;
+ 		case 'R':
+ 			if ('/' != optarg[0]) {
+ 				fprintf (stderr,
+diff --git a/src/groupmod.c b/src/groupmod.c
+index 27eb159..17acbc3 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -127,6 +127,8 @@ static void usage (void)
+ 	(void) fputs (_("  -o, --non-unique              allow to use a duplicate (non-unique) GID\n"), stderr);
+ 	(void) fputs (_("  -p, --password PASSWORD       change the password to this (encrypted)\n"
+ 	                "                                PASSWORD\n"), stderr);
++	(void) fputs (_("  -P, --clear-password PASSWORD change the password to this (clear text)\n"
++	                "                                PASSWORD\n"), stderr);
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), stderr);
+ 	(void) fputs ("\n", stderr);
+ 	exit (E_USAGE);
+@@ -348,11 +350,12 @@ static void process_flags (int argc, char **argv)
+ 		{"new-name", required_argument, NULL, 'n'},
+ 		{"non-unique", no_argument, NULL, 'o'},
+ 		{"password", required_argument, NULL, 'p'},
++		{"clear-password", required_argument, NULL, 'P'},
+ 		{"root", required_argument, NULL, 'R'},
+ 		{NULL, 0, NULL, '\0'}
+ 	};
+ 	while ((c =
+-		getopt_long (argc, argv, "g:hn:op:R:",
++		getopt_long (argc, argv, "g:hn:op:P:R:",
+ 		             long_options, &option_index)) != -1) {
+ 		switch (c) {
+ 		case 'g':
+@@ -376,6 +379,10 @@ static void process_flags (int argc, char **argv)
+ 			group_passwd = optarg;
+ 			pflg = true;
+ 			break;
++		case 'P':
++			group_passwd = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++			pflg = true;
++			break;
+ 		case 'R':
+ 			if ('/' != optarg[0]) {
+ 				fprintf (stderr,
+diff --git a/src/useradd.c b/src/useradd.c
+index 2102630..390909c 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -716,6 +716,7 @@ static void usage (void)
+ 	(void) fputs (_("  -o, --non-unique              allow to create users with duplicate\n"
+ 	                "                                (non-unique) UID\n"), stderr);
+ 	(void) fputs (_("  -p, --password PASSWORD       encrypted password of the new account\n"), stderr);
++	(void) fputs (_("  -P, --clear-password PASSWORD clear text password of the new account\n"), stderr);
+ 	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), stderr);
+ 	(void) fputs (_("  -r, --system                  create a system account\n"), stderr);
+ 	(void) fputs (_("  -s, --shell SHELL             login shell of the new account\n"), stderr);
+@@ -1035,6 +1036,7 @@ static void process_flags (int argc, char **argv)
+ 			{"no-user-group", no_argument, NULL, 'N'},
+ 			{"non-unique", no_argument, NULL, 'o'},
+ 			{"password", required_argument, NULL, 'p'},
++			{"clear-password", required_argument, NULL, 'P'},
+ 			{"root", required_argument, NULL, 'R'},
+ 			{"system", no_argument, NULL, 'r'},
+ 			{"shell", required_argument, NULL, 's'},
+@@ -1047,9 +1049,9 @@ static void process_flags (int argc, char **argv)
+ 		};
+ 		while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+-		                         "b:c:d:De:f:g:G:k:K:lmMNop:R:rs:u:UZ:",
++		                         "b:c:d:De:f:g:G:k:K:lmMNop:P:R:rs:u:UZ:",
+ #else
+-		                         "b:c:d:De:f:g:G:k:K:lmMNop:R:rs:u:U",
++		                         "b:c:d:De:f:g:G:k:K:lmMNop:P:R:rs:u:U",
+ #endif
+ 		                         long_options, NULL)) != -1) {
+ 			switch (c) {
+@@ -1214,6 +1216,9 @@ static void process_flags (int argc, char **argv)
+ 				}
+ 				user_pass = optarg;
+ 				break;
++			case 'P':	/* set clear text password */
++				user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++				break;
+ 			case 'R':
+ 				/* no-op since we handled this in process_root_flag() earlier */
+ 				break;
+diff --git a/src/usermod.c b/src/usermod.c
+index 8363597..f4c1cee 100644
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -325,6 +325,7 @@ static void usage (void)
+ 	         "                                new location (use only with -d)\n"
+ 	         "  -o, --non-unique              allow using duplicate (non-unique) UID\n"
+ 	         "  -p, --password PASSWORD       use encrypted password for the new password\n"
++	         "  -P, --clear-password PASSWORD       use clear text password for the new password\n"
+ 	         "  -R  --root CHROOT_DIR         directory to chroot into\n"
+ 	         "  -s, --shell SHELL             new login shell for the user account\n"
+ 	         "  -u, --uid UID                 new UID for the user account\n"
+@@ -950,6 +951,7 @@ static void process_flags (int argc, char **argv)
+ 			{"move-home", no_argument, NULL, 'm'},
+ 			{"non-unique", no_argument, NULL, 'o'},
+ 			{"password", required_argument, NULL, 'p'},
++			{"clear-password", required_argument, NULL, 'P'},
+ 			{"root", required_argument, NULL, 'R'},
+ #ifdef WITH_SELINUX
+ 			{"selinux-user", required_argument, NULL, 'Z'},
+@@ -961,9 +963,9 @@ static void process_flags (int argc, char **argv)
+ 		};
+ 		while ((c = getopt_long (argc, argv,
+ #ifdef WITH_SELINUX
+-			                 "ac:d:e:f:g:G:hl:Lmop:R:s:u:UZ:",
++			                 "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:UZ:",
+ #else
+-			                 "ac:d:e:f:g:G:hl:Lmop:R:s:u:U",
++			                 "ac:d:e:f:g:G:hl:Lmop:P:R:s:u:U",
+ #endif
+ 			                 long_options, NULL)) != -1) {
+ 			switch (c) {
+@@ -1055,6 +1057,10 @@ static void process_flags (int argc, char **argv)
+ 				user_pass = optarg;
+ 				pflg = true;
+ 				break;
++			case 'P':
++				user_pass = pw_encrypt (optarg, crypt_make_salt (NULL, NULL));
++				pflg = true;
++				break;
+ 			case 'R':
+ 				/* no-op since we handled this in process_root_flag() earlier */
+ 				break;
+-- 
+1.7.9.5
+
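Review bot: all four `case 'P'` branches (groupadd.c, groupmod.c, useradd.c, usermod.c) take the clear text password from optarg, so it is present in the process's argument list and in any log that records the command line, and neither the usage strings nor the patch header say so. State this in the header and in the `-P` help text, or accept the password from a file or stdin instead. `-p` and `-P` also write the same variable (`group_passwd` / `user_pass`), so when both are given the last one silently wins; reject the combination with a usage error. The new usermod usage line pads `PASSWORD` with extra spaces and does not line up with its neighbours.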
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 33ecc7d..f77a78a 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -32,6 +32,7 @@ SRC_URI_append_class-native = " \
            file://disable-syslog.patch \
            file://useradd.patch \
            file://add_root_cmd_groupmems.patch \
+           file://allow-for-setting-password-in-clear-text.patch \
            "
 SRC_URI_append_class-nativesdk = " \
            file://add_root_cmd_options.patch \
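Review bot: the new patch is appended only to `SRC_URI_append_class-native`, so a `-P` in a recipe's useradd or groupadd parameters is understood only by the native binaries; wherever the same parameters reach an unpatched useradd, such as the target's own, the command will fail on an unknown option. Document that restriction where recipe authors will see it, or carry the option in the target package as well.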
-- 
1.7.9.5




* [PATCH V2 2/3] image.bbclass: fix for zap_root_password
  2013-12-11  5:56 [PATCH V2 0/3] Add ability to set clear text password and fix zap_root_password Qi.Chen
  2013-12-11  5:56 ` [PATCH V2 1/3] shadow-native: allow for setting password in clear text Qi.Chen
@ 2013-12-11  5:57 ` Qi.Chen
  2013-12-11  5:57 ` [PATCH V2 3/3] useradd-example: add example for setting clear text password Qi.Chen
  2 siblings, 0 replies; 4+ messages in thread
From: Qi.Chen @ 2013-12-11  5:57 UTC (permalink / raw)
  To: openembedded-core

From: Chen Qi <Qi.Chen@windriver.com>

Previously, this function replaces the root password with '*' if
'debug-tweaks' is not in IMAGE_FEATURES. It not only zaps empty root
password, but also zaps non-empty root password. That means, if the
user uses a bbappend file for base-passwd to set the root password, he
would not be able to login as root; if the user uses 'EXTRA_USERS_PARAMS'
to set the root password, he would still not be able to login as root.

What we really want from this function is to disallow empty root password
if 'debug-tweaks' is not in IMAGE_FEATURES. This function should not remove
non-empty root password because that password is usually deliberately set
by the user.

This patch renames zap_root_password to zap_empty_root_password to
better reflect the intent of this function. It also modifies the code
to make this function work correctly.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 meta/classes/core-image.bbclass |    2 +-
 meta/classes/image.bbclass      |   14 ++++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/meta/classes/core-image.bbclass b/meta/classes/core-image.bbclass
index e7c34e2..fc4bd2f 100644
--- a/meta/classes/core-image.bbclass
+++ b/meta/classes/core-image.bbclass
@@ -74,7 +74,7 @@ inherit image
 ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; "
 
 # Zap the root password if debug-tweaks feature is not enabled
-ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "", "zap_root_password ; ",d)}'
+ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "debug-tweaks", "", "zap_empty_root_password ; ",d)}'
 
 # Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled
 ROOTFS_POSTPROCESS_COMMAND += '${@base_contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}'
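Review bot: the comment above the changed line still reads "Zap the root password if debug-tweaks feature is not enabled", which no longer matches the function it introduces. Update it to say that only an empty root password is replaced.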
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 168f283..c6d9db8 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -562,11 +562,13 @@ rootfs_uninstall_unneeded () {
 	fi
 }
 
-# set '*' as the root password so the images
-# can decide if they want it or not
-zap_root_password () {
-	sed 's%^root:[^:]*:%root:*:%' < ${IMAGE_ROOTFS}/etc/passwd >${IMAGE_ROOTFS}/etc/passwd.new
-	mv ${IMAGE_ROOTFS}/etc/passwd.new ${IMAGE_ROOTFS}/etc/passwd
+# This function is intended to disallow empty root password if 'debug-tweaks' is not in IMAGE_FEATURES.
+zap_empty_root_password () {
+	if [ -e ${IMAGE_ROOTFS}/etc/shadow ]; then
+		sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/shadow
+	elif [ -e ${IMAGE_ROOTFS}/etc/passwd ]; then
+		sed -i 's%^root::%root:*:%' ${IMAGE_ROOTFS}/etc/passwd
+	fi
 } 
 
 # allow dropbear/openssh to accept root logins and logins from accounts with an empty password string
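Review bot: in `zap_empty_root_password` the `elif` means `/etc/passwd` is never examined once `/etc/shadow` exists, so a `root::` entry in passwd survives on an image that has both files. Run the two substitutions as independent `if` blocks, and quote `${IMAGE_ROOTFS}` in the tests and in the sed arguments.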
@@ -648,7 +650,7 @@ rootfs_sysroot_relativelinks () {
 	sysroot-relativelinks.py ${SDK_OUTPUT}/${SDKTARGETSYSROOT}
 }
 
-EXPORT_FUNCTIONS zap_root_password remove_init_link do_rootfs make_zimage_symlink_relative set_image_autologin rootfs_update_timestamp rootfs_no_x_startup
+EXPORT_FUNCTIONS zap_empty_root_password remove_init_link do_rootfs make_zimage_symlink_relative set_image_autologin rootfs_update_timestamp rootfs_no_x_startup
 
 do_fetch[noexec] = "1"
 do_unpack[noexec] = "1"
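Review bot: `zap_root_password` is dropped from `EXPORT_FUNCTIONS` with no compatibility name, so any layer that still lists it in `ROOTFS_POSTPROCESS_COMMAND` will no longer find the function. Keep the old name as a thin wrapper around `zap_empty_root_password` for a release, or call out the incompatibility for layer maintainers.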
-- 
1.7.9.5
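
The behaviour change described in this message, as an added example that is not part of the original patch: the removed and the added sed expressions are run over constructed account files, followed by a check that reports whether a rootfs still has an empty root password. The function names (`zap_old`, `zap_new`, `root_field`, `root_password_state`, `make_rootfs`) and all file contents are hypothetical, and the check assumes the usual convention that the passwd field defers to /etc/shadow only when it is `x`.

```shell
#!/bin/sh
# Added example, not code from the patch. All sample files are constructed.

zap_old() { sed 's%^root:[^:]*:%root:*:%' "$1"; }  # expression removed by the patch
zap_new() { sed 's%^root::%root:*:%' "$1"; }       # expression added by the patch

# Print the password field of the root entry in file $1.
root_field() { awk -F: '$1 == "root" { print $2; exit }' "$1"; }

# Classify root's password in rootfs $1 as empty, locked, set or missing.
# Assumption: /etc/shadow is consulted only when the passwd field is "x".
root_password_state() {
    rootfs=$1
    [ -e "$rootfs/etc/passwd" ] || { echo missing; return; }
    grep -q '^root:' "$rootfs/etc/passwd" || { echo missing; return; }
    field=$(root_field "$rootfs/etc/passwd")
    if [ "$field" = "x" ] && [ -e "$rootfs/etc/shadow" ]; then
        field=$(root_field "$rootfs/etc/shadow")
    fi
    case $field in
        '')          echo empty ;;
        '*'|'!'*|x)  echo locked ;;
        *)           echo set ;;
    esac
}

# Build a constructed rootfs: $1 directory, $2 passwd field, $3 shadow field.
# When $3 is omitted no /etc/shadow is created.
make_rootfs() {
    mkdir -p "$1/etc"
    printf 'root:%s:0:0:root:/home/root:/bin/sh\n' "$2" > "$1/etc/passwd"
    [ $# -lt 3 ] || printf 'root:%s:15000:0:99999:7:::\n' "$3" > "$1/etc/shadow"
}

# Demo: an image with an empty root password in /etc/shadow, before and
# after the new expression is applied to that file.
demo=$(mktemp -d)
make_rootfs "$demo" 'x' ''
echo "before: $(root_password_state "$demo")"
zap_new "$demo/etc/shadow" > "$demo/etc/shadow.new" &&
    mv "$demo/etc/shadow.new" "$demo/etc/shadow"
echo "after:  $(root_password_state "$demo")"
rm -rf "$demo"
```

Running `root_password_state` against `${IMAGE_ROOTFS}` after rootfs post-processing gives a quick release gate: anything other than `locked` or `set` means the image should not ship.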




* [PATCH V2 3/3] useradd-example: add example for setting clear text password
  2013-12-11  5:56 [PATCH V2 0/3] Add ability to set clear text password and fix zap_root_password Qi.Chen
  2013-12-11  5:56 ` [PATCH V2 1/3] shadow-native: allow for setting password in clear text Qi.Chen
  2013-12-11  5:57 ` [PATCH V2 2/3] image.bbclass: fix for zap_root_password Qi.Chen
@ 2013-12-11  5:57 ` Qi.Chen
  2 siblings, 0 replies; 4+ messages in thread
From: Qi.Chen @ 2013-12-11  5:57 UTC (permalink / raw)
  To: openembedded-core

From: Chen Qi <Qi.Chen@windriver.com>

Use '-P' option for user3 to set a clear text password. This is supposed
to serve as an example of how to set clear text password in recipes.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 .../recipes-skeleton/useradd/useradd-example.bb    |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb b/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb
index 53d2340..2f8d9b0 100644
--- a/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb
+++ b/meta-skeleton/recipes-skeleton/useradd/useradd-example.bb
@@ -32,7 +32,8 @@ USERADD_PACKAGES = "${PN} ${PN}-user3"
 USERADD_PARAM_${PN} = "-u 1200 -d /home/user1 -r -s /bin/bash user1; -u 1201 -d /home/user2 -r -s /bin/bash user2"
 
 # user3 will be managed in the useradd-example-user3 pacakge:
-USERADD_PARAM_${PN}-user3 = "-u 1202 -d /home/user3 -r -s /bin/bash user3"
+# As an example, we use the -P option to set clear text password for user3
+USERADD_PARAM_${PN}-user3 = "-u 1202 -d /home/user3 -r -s /bin/bash -P 'user3' user3"
 
 # GROUPADD_PARAM works the same way, which you set to the options
 # you'd normally pass to the groupadd command. This will create
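Review bot: the changed `USERADD_PARAM_${PN}-user3` line sets user3's password to the account name, in clear text, in a skeleton recipe that is meant to be copied. Extend the added comment to say that the value is stored readable in the recipe and is for illustration only, and use an obvious placeholder instead of 'user3'.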
-- 
1.7.9.5


